North American Network Operators Group
Re: Open Letter to D-Link about their NTP vandalism
On Sat, Apr 08, 2006 at 03:15:24AM -0400, [email protected] wrote:
> On Fri, 07 Apr 2006 20:16:03 EDT, Jared Mauch said:
>
> > My suggestion is rename from gps -> gps1 and drop the gps
> > dns name. That combined with some bind/whatever views that
> > scope the dns responses are effective since it's a DNS name.
>
> That will fix the problem. In 2012 or so.
>
> I have a hostname that just now saw 500 NTP packets in 112 seconds. OK, so
> it's only 5 packets per second.
>
> Mind you, that hostname *was* at one time a stratum-2 server. But it moved to
> a different host on April 7, 2000 - 6 *years* ago. One year after that, it
...

So, I've run various services over the years, including at one time being hostmaster at cic.net and dealt with renaming and renumbering our dns servers once or twice.

At one time our server spruce.cic.net was numbered 220.127.116.11, and we tried to renumber it to 18.104.22.168. We faced numerous challenges in this, as we had customers that would use it as the secondary dns server so we not only had to get them to change everything, but back in the bind4 days, it was common to stick out-of-zone glue in various files. This could have the impact of dns cache poisoning. We spent a lot of time tracking down the offenders and getting them to fix the zone files.

I'm sure still today merit is seeing dns traffic to 22.214.171.124 and that whatever is at the (still valid dns record) for spruce is seeing dns queries from someone's win95 dialup host.

This is something that is very common that those who have run dns services have seen. The same is true for any other service out there; uu.net folks are familiar with having their dns server being used by people that are not their customers anymore for recursion. This is quite common.

If networks find this a problem, they should also consider asking the community for support; there may be people willing to add that IP to their various ntp servers, or in the case of dns-anycast, to their existing resolver systems.

I do think that the vendor in question here should do something to help. I'm just glad that I don't own any of their products.

- jared

--
Jared Mauch | pgp key available via finger from [email protected]
clue++; | http://puck.nether.net/~jared/ My statements are only mine.